Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia

#1 2020-04-02 19:41:14

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Odd iclass fob dump.

I dumped a legacy iClass fob and was quite surprised at what I got. This was dumped using the default KD master key only.

------+--+-------------------------+          
CSN   |00| 77 28 49 02 F8 FF 12 E0 |          
[=] ------+--+-------------------------+----------          
[=]       |01| 94 F6 FF FF FF FF FF FF | ........          
[=]       |02| 94 F6 FF FF FF FF FF FF | ........          
[=]       |03| 7A 27 A7 12 19 07 72 44 | z'....rD          
[=]       |04| FF FF FF FF FF FF FF FF | ........          
[=]       |05| FF FF FF FF FF FF FF FF | ........          
[=]       |06| 03 03 03 03 00 03 E0 17 | ........          
[=]       |07| 71 CB 49 31 9F BB 17 20 | q.I1...           
[=]       |08| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |09| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |0A| FF FF FF FF FF FF FF FF | ........          
[=]       |0B| FF FF FF FF FF FF FF FF | ........          
[=]       |0C| FF FF FF FF FF FF FF FF | ........          
[=]       |0D| FF FF FF FF FF FF FF FF | ........          
[=]       |0E| FF FF FF FF FF FF FF FF | ........          
[=]       |0F| FF FF FF FF FF FF FF FF | ........          
[=]       |10| FF FF FF FF FF FF FF FF | ........          
[=]       |11| FF FF FF FF FF FF FF FF | ........          
[=]       |12| FF FF FF FF FF FF FF FF | ........          
[=]       |13| FF FF FF FF FF FF FF FF | ........          
[=]       |14| FF FF FF FF FF FF FF FF | ........          
[=]       |15| FF FF FF FF FF FF FF FF | ........          
[=]       |16| FF FF FF FF FF FF FF FF | ........          
[=]       |17| FF FF FF FF FF FF FF FF | ........          
[=]       |18| FF FF FF FF FF FF FF FF | ........          
[=]       |19| FF FF FF FF FF FF FF FF | ........          
[=]       |1A| FF FF FF FF FF FF FF FF | ........          
[=]       |1B| FF FF FF FF FF FF FF FF | ........          
[=]       |1C| FF FF FF FF FF FF FF FF | ........          
[=]       |1D| FF FF FF FF FF FF FF FF | ........          
[=]       |1E| FF FF FF FF FF FF FF FF | ........          
[=]       |1F| FF FF FF FF FF FF FF FF | ........          
[=]       |20| 77 28 49 02 F8 FF 12 E0 | w(I.....          
[=]       |21| 12 FF FF FF 7F 1F FF 3C | .......<          
[=]       |22| 94 F6 FF FF FF FF FF FF | ........          
[=]       |23| FF FF FF FF FF FF FF FF | ........          
[=]       |24| FF FF FF FF FF FF FF FF | ........          
[=]       |25| FF FF FF FF FF FF FF FF | ........          
[=]       |26| 03 03 03 03 00 03 E0 17 | ........          
[=]       |27| 71 CB 49 31 9F BB 17 20 | q.I1...           
[=]       |28| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |29| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |2A| FF FF FF FF FF FF FF FF | ........          
[=]       |2B| FF FF FF FF FF FF FF FF | ........          
[=]       |2C| FF FF FF FF FF FF FF FF | ........          
[=]       |2D| FF FF FF FF FF FF FF FF | ........          
[=]       |2E| FF FF FF FF FF FF FF FF | ........          
[=]       |2F| FF FF FF FF FF FF FF FF | ........          
[=]       |30| FF FF FF FF FF FF FF FF | ........          
[=]       |31| FF FF FF FF FF FF FF FF | ........          
[=]       |32| FF FF FF FF FF FF FF FF | ........          
[=]       |33| FF FF FF FF FF FF FF FF | ........          
[=]       |34| FF FF FF FF FF FF FF FF | ........          
[=]       |35| FF FF FF FF FF FF FF FF | ........          
[=]       |36| FF FF FF FF FF FF FF FF | ........          
[=]       |37| FF FF FF FF FF FF FF FF | ........          
[=]       |38| FF FF FF FF FF FF FF FF | ........          
[=]       |39| FF FF FF FF FF FF FF FF | ........          
[=]       |3A| FF FF FF FF FF FF FF FF | ........          
[=]       |3B| FF FF FF FF FF FF FF FF | ........          
[=]       |3C| FF FF FF FF FF FF FF FF | ........          
[=]       |3D| FF FF FF FF FF FF FF FF | ........          
[=]       |3E| FF FF FF FF FF FF FF FF | ........          
[=]       |3F| FF FF FF FF FF FF FF FF | ........          
[=]       |40| 77 28 49 02 F8 FF 12 E0 | w(I.....          
[=]       |41| 12 FF FF FF 7F 1F FF 3C | .......<          
[=]       |42| 94 F6 FF FF FF FF FF FF | ........          
[=]       |43| FF FF FF FF FF FF FF FF | ........          
[=]       |44| FF FF FF FF FF FF FF FF | ........          
[=]       |45| FF FF FF FF FF FF FF FF | ........          
[=]       |46| 03 03 03 03 00 03 E0 17 | ........          
[=]       |47| 71 CB 49 31 9F BB 17 20 | q.I1...           
[=]       |48| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |49| 2A D4 C8 21 1F 99 68 71 | *..!..hq          
[=]       |4A| FF FF FF FF FF FF FF FF | ........          
[=]       |4B| FF FF FF FF FF FF FF FF | ........          
[=]       |4C| FF FF FF FF FF FF FF FF | ........          
[=]       |4D| FF FF FF FF FF FF FF FF | ........          
[=]       |4E| FF FF FF FF FF FF FF FF | ........          
[=]       |4F| FF FF FF FF FF FF FF FF | ........          
[=]       |50| FF FF FF FF FF FF FF FF | ........          
[=]       |51| FF FF FF FF FF FF FF FF | ........          
[=]       |52| FF FF FF FF FF FF FF FF | ........          
[=]       |53| FF FF FF FF FF FF FF FF | ........          
[=]       |54| FF FF FF FF FF FF FF FF | ........          
[=]       |55| FF FF FF FF FF FF FF FF | ........          
[=]       |56| FF FF FF FF FF FF FF FF | ........          
[=]       |57| FF FF FF FF FF FF FF FF | ........          
[=]       |58| FF FF FF FF FF FF FF FF | ........          
[=]       |59| FF FF FF FF FF FF FF FF | ........          
[=]       |5A| FF FF FF FF FF FF FF FF | ........          
[=]       |5B| FF FF FF FF FF FF FF FF | ........          
[=]       |5C| FF FF FF FF FF FF FF FF | ........          
[=]       |5D| FF FF FF FF FF FF FF FF | ........          
[=] ------+--+-------------------------+----------

I've never seen one this long, and it's only a 2K tag!

Here's the tag info:

[+]    CSN: 77 28 49 02 F8 FF 12 E0           
[+]     CC: 94 F6 FF FF FF FF FF FF           
[+]     Mode: Application [Locked]          
[+]     Coding: ISO 14443-2 B/ISO 15693          
[+]     Crypt: Secured page, keys not locked          
[!]     RA: Read access not enabled          
 Mem: 2 KBits/2 App Areas (31 * 8 bytes) [1F]          
    AA1: blocks 06-12          
    AA2: blocks 13-1F          
    OTP: 0xFFFF          
    KeyAccess:          
    Read A - Kd or Kc          
    Read B - Kd or Kc          
    Write A - Kc          
    Write B - Kc          
    Debit  - Kd or Kc          
    Credit - Kc          
[+]  App IA: FF FF FF FF FF FF FF FF           
[+]       : Possible iClass - legacy credential tag          
[+]       : Tag is iClass , CSN is in HID range    

This lines up with my other iClass tags.

My question: are the extra blocks read by the reader, or just blocks 03-09 as usual? The config block also seems odd to me.

Offline

#2 2020-04-03 00:52:55

grauerfuchs
Contributor
Registered: 2018-08-28
Posts: 50

Re: Odd iclass fob dump.

This looks about right to me, except for the length. Look at the pattern. It appears that for whatever reason, you got multiple reads chained over. The tag does likely stop on block 1F.

The config block and the card data look about right for an encrypted HID iClass legacy credential. What makes you think it's odd?

Offline

#3 2020-04-03 00:57:48

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Odd iclass fob dump.

I just found the repeating pattern odd; all of my other iClass creds just go to block 1F if I dump using only the debit key.

Offline

#4 2020-04-03 08:26:21

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Odd iclass fob dump.

Looks like you are running the hf iclass readtag. Odd output with the blocks.

I updated the cmd; try using verbose output.

[usb] pm3 --> hf iclass readtag
Print a iClass tag-dump file

Usage: hf iClass readtagfile [f <filename>] [s <startblock>] [e <endblock>] [v]

Options:
  h                Show this help
  f <filename>     filename of dump
  s <startblock>   print from this block (default block6)
  e <endblock>     end printing at this block (default 0, ALL)
  v                verbose output
Examples:
        hf iclass readtagfile f hf-iclass-AA162D30F8FF12F1-dump.bin
        hf iclass readtagfile s 1 f hf-iclass-AA162D30F8FF12F1-dump.bin

Offline

#5 2020-04-03 23:19:47

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Odd iclass fob dump.

I ran HF iclass dump with the default master key to get the first output. Wouldn't reading the dump file just show the same output?

Offline

#6 2020-04-04 05:51:33

iceman
Administrator
Registered: 2013-04-25
Posts: 9,537
Website

Re: Odd iclass fob dump.

Even more interesting, the file size is way too large. Something must have gone wrong when you dumped the tag.
It's repeating the data over and over. It seems to have missed the first blocks read and thought you had a 0xFF, and tried to read that many blocks.

Offline
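
Added example (not part of any post in this thread, and not Proxmark3 code): a Python check for the wrap-around described in posts #2 and #6. It assumes the dump is a flat sequence of 8-byte blocks and treats the first reappearance of block 00 (the CSN) as the wrap point; `sample_dump()` rebuilds the listing from post #1, and all function names are made up for this example.

```python
BLOCK = 8  # bytes per iClass block, as in the dump rows of post #1

def split_blocks(dump: bytes) -> list:
    if len(dump) % BLOCK:
        raise ValueError("dump length is not a multiple of 8 bytes")
    return [dump[i:i + BLOCK] for i in range(0, len(dump), BLOCK)]

def wrap_period(blocks: list):
    """Index where block 00 (the CSN) first reappears, or None if it never does."""
    for n in range(1, len(blocks)):
        if blocks[n] == blocks[0]:
            return n
    return None

def check_dump(dump: bytes):
    """Return (period, mismatches): mismatches maps a block number to
    (value in the first pass, value in a later pass) where the passes disagree."""
    blocks = split_blocks(dump)
    period = wrap_period(blocks)
    mismatches = {}
    if period:
        for n in range(period, len(blocks)):
            first = blocks[n % period]
            if blocks[n] != first:
                mismatches.setdefault(n % period, (first, blocks[n]))
    return period, mismatches

def sample_dump() -> bytes:
    """Blocks 00-5D rebuilt from the listing in post #1 (unlisted blocks are FF)."""
    h = bytes.fromhex
    image = [b"\xff" * BLOCK] * 32
    image[0], image[2] = h("77284902F8FF12E0"), h("94F6FFFFFFFFFFFF")
    image[6:10] = [h("030303030003E017"), h("71CB49319FBB1720"),
                   h("2AD4C8211F996871"), h("2AD4C8211F996871")]
    first = list(image)
    first[1], first[3] = h("94F6FFFFFFFFFFFF"), h("7A27A71219077244")
    later = list(image)
    later[1] = h("12FFFFFF7F1FFF3C")
    return b"".join(first + later + later[:30])

if __name__ == "__main__":
    period, mismatches = check_dump(sample_dump())
    print(f"wraps after {period} blocks; last real block is {period - 1:02X}")
    for n, (a, b) in sorted(mismatches.items()):
        print(f"block {n:02X}: first pass {a.hex(' ')}  later passes {b.hex(' ')}")
```

On the rebuilt listing this reports a wrap after 0x20 blocks, consistent with the `[1F]` in the tag info, and flags blocks 01 and 03 as the ones whose first-pass value differs from the later passes.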

#7 2020-04-04 21:48:59

TelxonHacker
Contributor
From: Central US
Registered: 2020-02-19
Posts: 34

Re: Odd iclass fob dump.

I thought the same too; there's more data than on my 16k tag. This is a friend's fob, they wanted to see if I could clone it, so I don't have it currently.

Offline
